CVE-2014-0050

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.

Published Bysecalert@redhat.com

Published DateApr 01, 2014, 06:27

Affected Versions(3)

commons-fileupload:commons-fileupload(Maven)

Introduced0

Fixed1.3.1

LimitN/A

org.apache.tomcat:tomcat(Maven)

Introduced8.0.0-RC1

Fixed8.0.3

LimitN/A

org.apache.tomcat:tomcat(Maven)

Introduced7.0.0

Fixed7.0.52

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
commons-fileupload:commons-fileupload(Maven)	0	1.3.1	N/A
org.apache.tomcat:tomcat(Maven)	8.0.0-RC1	8.0.3	N/A
org.apache.tomcat:tomcat(Maven)	7.0.0	7.0.52	N/A

Weakness Type (CWE):CWE-264

CVSS Metrics

Base Score

7.5

Vector String

AV:N/AC:L/Au:N/C:P/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

PARTIAL

References

Weakness Type (CWE):CWE-264

CVSS Metrics

Base Score

7.5

Vector String

AV:N/AC:L/Au:N/C:P/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

PARTIAL